CVE-2010-1163: Improper Input Validation in Miller Sudo

Severity: 6.9 MEDIUM (NVD)
EPSS: 0.0% (top 86.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 16; latest update May 2

Description

The command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ".", which allows local users to execute arbitrary commands via a Trojan horse executable, as demonstrated using sudoedit, a different vulnerability than CVE-2010-0426.

CVSS vector

AV:L/AC:M/C:C/I:C/A:C | Exploitability: 3.4 | Impact: 10.0

Affected Packages (2 packages)

Debian: sudo_project/sudo < 1.7.2p6-1 (+3)
NVD: todd_miller/sudo, 21 versions (+20)

Vulnerability Details (3)

GHSA: GHSA-hh7m-2j26-qw2m: The command matching functionality in sudo 1... (2022-05-02)
OSV: CVE-2010-1163: The command matching functionality in sudo 1... (2010-04-16)
CVEList: CVE-2010-1163: The command matching functionality in sudo 1... (2010-04-16)

Vendor Advisories (3)

Cisco: Sudo sudoedit Local Command Privilege Escalation Vulnerability (2010-04-19)
Red Hat: sudo: incomplete fix for the sudoedit privilege escalation issue CVE-2010-0426 (2010-04-13)
Debian: CVE-2010-1163: sudo - The command matching functionality in sudo 1.6.8 through 1.7.2p5 does not proper... (2010)

Community (1)

Bugzilla: CVE-2010-1163 sudo: incomplete fix for the sudoedit privilege escalation issue CVE-2010-0426 (2010-04-08)